Internet-based computer software applications, or “web” applications, are often tested to determine whether they are vulnerable to malicious attacks or otherwise show signs of security vulnerabilities. One such type of testing known as “black-box” testing involves executing a web application, interacting with the application's interfaces, such as by using known forms of malicious attacks, and then searching for evidence that an interaction exposed a known type of vulnerability. Interactions with some types of web applications will often cause such web applications to return software instructions known as “client-side code” to an interacting party, where the client-side code is configured to be executed by the interacting party's, or “client's”, computer. Unfortunately, black-box testing of a web application that is executed by a computer server, where the black-box interactions with the web application are effected only at the server side, cannot identify security vulnerabilities in such client-side code.